Google Admits To Android Security Flaw; Says Issue Resolved

By IBT Staff Reporter On 05/18/11 AT 4:14 PM

Google announced it has fixed a possible security flaw that could expose contact, calendar and photo data over Wi-Fi.

A report from researchers at Ulm University's Institute of Media Informatics said certain apps for Google Android phones use an authentication service named ClientLogin. This service, which is used to authorize the transfer of sensitive data to Web-based services, had a flaw that exposed consumer data to hackers.

The researchers noticed that when ClientLogin sent an authentication token over an insecure HTTP connection on an open Wi-Fi network, an eavesdropper could get access to the user's authentication information. This information would allow the hacker to get access to the user's calendar and contacts. Google admitted this flaw existed and said it has been resolved.

"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in Calendar and Contacts. This fix requires no action from users and will roll out globally over the next few days," a Google spokesman said in a statement.

The fix forces all connections to Google Calendar and Contacts servers over HTTPS (Hypertext Transfer Protocol Secure). This means someone on an open Wi-Fi network wouldn't be able to grab authentication tokens used by the operating system to validate devices.

The security flaw impacted any Android phone from version 2.3.4 for contacts, calendars and Picasa Web albums. It also affected tablet consumers with Android 3.0.